pypi
4,707 tracked vulnerabilities.
CVE | Severity | Title | Published | CVSS | EPSS
CVE-2026-40525 | CRITICAL | OpenViking Authentication Bypass via VikingBot OpenAPI | Apr 17, 2026 | 9.1 | 0.00
CVE-2026-40320 | HIGH | Giskard has an Unsandboxed Jinja2 Template Rendering in ConformityCheck | Apr 17, 2026 | 7.8 | 0.00
CVE-2026-40319 | MEDIUM | Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check | Apr 17, 2026 | 5.5 | 0.00
CVE-2026-40260 | MEDIUM | pypdf: Manipulated XMP metadata entity declarations can exhaust RAM | Apr 17, 2026 | 5.3 | 0.00
CVE-2026-31987 | HIGH | Apache Airflow: JWT token appearing in logs | Apr 16, 2026 | 7.5 | 0.00
CVE-2026-40192 | HIGH | Pillow is vulnerable to a FITS GZIP decompression bomb | Apr 15, 2026 | 7.5 | 0.00
CVE-2026-40256 | MEDIUM | Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision | Apr 15, 2026 | 5.0 | 0.00
CVE-2026-39845 | MEDIUM | Weblate: SSRF via the webhook add-on using unprotected fetch_url() | Apr 15, 2026 | 4.1 | 0.00
CVE-2026-34393 | HIGH | Weblate: Privilege escalation in the user API endpoint | Apr 15, 2026 | 8.8 | 0.00
CVE-2026-34244 | MEDIUM | Weblate: SSRF via Project-Level Machinery Configuration | Apr 15, 2026 | 5.0 | 0.00
CVE-2026-34242 | HIGH | Weblate: Arbitrary File Read via Symlink | Apr 15, 2026 | 7.7 | 0.00
CVE-2026-33440 | MEDIUM | Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads | Apr 15, 2026 | 5.0 | 0.00
CVE-2026-33435 | HIGH | Weblate: Remote code execution during backup restoration | Apr 15, 2026 | 8.0 | 0.00
CVE-2026-33220 | MEDIUM | Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository | Apr 15, 2026 | 6.8 | 0.00
CVE-2026-33214 | MEDIUM | Weblate has improper access control for the translation memory API | Apr 15, 2026 | 4.3 | 0.00
CVE-2026-33212 | LOW | Weblate: Improper access control for pending tasks in API | Apr 15, 2026 | 3.1 | 0.00
CVE-2026-30625 | CRITICAL | Upsonic 0.71.6 MCP Tasks - OS Command Injection | Apr 15, 2026 | 9.8 | 0.00
CVE-2026-25219 | MEDIUM | Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | Apr 15, 2026 | 6.5 | 0.00
CVE-2026-40683 | HIGH | OpenStack Keystone <25.0.1 - Auth Bypass | Apr 14, 2026 | 7.7 | 0.00
CVE-2026-40315 | CRITICAL | PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries | Apr 14, 2026 | 9.8 | 0.00
CVE-2026-40289 | CRITICAL | PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions | Apr 14, 2026 | 9.1 | 0.00
CVE-2026-40288 | CRITICAL | PraisonAI: Critical RCE via `type: job` workflow YAML | Apr 14, 2026 | 9.8 | 0.00
CVE-2026-40287 | HIGH | PraisonAI has RCE via Automatic tools.py Import | Apr 14, 2026 | 8.4 | 0.00
CVE-2026-33858 | HIGH | Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API | Apr 13, 2026 | 8.8 | 0.00
CVE-2026-1462 | HIGH | Safe Mode Bypass in keras-team/keras | Apr 13, 2026 | 8.8 | 0.00
Products
tensorflow 427
tensorflow-gpu 421
tensorflow-cpu 417
Django 147
apache-airflow 111
Plone 96
open-webui 86
mlflow 70
apache-superset 67
salt 67
ansible 66
pillow 52
nova 48
gradio 46
rdiffweb 43
matrix-synapse 42
pyload-ng 41
vyper 39
vllm 38
keystone 36
moin 35
aiohttp 33
opencv-contrib-python 30
opencv-python 30
PraisonAI 27
pgadmin4 26
pypdf 24
glance 22
langflow 22
ethyca-fides 21